Security Alert Summary
The CM E-Mail Blacklist – Simple email filtering for safer registration plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the handling of the black_email parameter. Authenticated users with administrator-level access (and above) can store arbitrary web script in a blacklist entry; the script executes whenever another user views the affected settings page. The issue specifically affects multisite installations and sites where the unfiltered_html capability has been disabled, because on a standard single-site installation administrators are already permitted to post raw HTML and the missing escaping grants them nothing new.
CVE Details
- CVE ID: CVE-2026-0691
- Affected plugin / component: CM E-Mail Blacklist – Simple email filtering for safer registration plugin for WordPress
- Affected versions: All versions up to and including 1.6.2
- Published: January 17, 2026 at 7:16:01 AM UTC
- Last modified: January 17, 2026 at 7:16:01 AM UTC
- CVSS v3.1: Base Score 4.4 (MEDIUM)
- Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
- Authentication / privileges / user interaction: Requires an authenticated attacker with administrator-level privileges (Privileges Required: HIGH). Scored as needing no user interaction (UI:N) and as a scope change (S:C), since the injected script runs in the browsers of other users who view the page.
- Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
- Weakness (CWE): CWE-79 (Cross-site Scripting)
Technical Details
The vulnerability is a stored cross-site scripting (XSS) issue caused by insufficient input sanitization and output escaping of the black_email parameter. The plugin stores attacker-controlled content that is later rendered in pages viewed by other users, allowing injected scripts to execute in those viewers' browsers. The public records point at line 67 of the plugin's backend view file backend/views/settings/email_blacklist.phtml, which renders the email blacklist input.
Per the CVE description, this vulnerability only affects multisite installations and installations where unfiltered_html has been disabled. The reason is WordPress's own capability model: on a standard single-site installation, administrators hold the unfiltered_html capability and may post raw HTML anywhere, so unescaped output of their own input is not a privilege gain. On multisite, only super administrators hold that capability, and on any installation it can be withdrawn from everyone by defining the DISALLOW_UNFILTERED_HTML constant. In those configurations the unescaped black_email field lets a site administrator bypass the restriction and store script that runs for anyone who views the settings page, including super administrators. Because the attacker must already be authenticated with administrator-level privileges, the issue is a privilege-boundary bypass inside the admin area rather than a remote anonymous exploit.
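The pattern behind this class of bug, as an added example that is not the plugin's own code: a settings view that echoes a stored blacklist entry straight into markup, beside the sanitize-on-save and escape-on-output form that closes it. Only the field name black_email comes from the advisory; the option handling, the helper names and the assumption that an entry is a single e-mail address are illustrative. The script runs on plain `php` because it polyfills esc_html(), esc_attr() and sanitize_email() when WordPress is not loaded; inside WordPress the real core functions are used instead.

```php
<?php
// Added example, not the CM E-Mail Blacklist plugin's code.
// Shows how a stored XSS arises when a saved black_email value is echoed
// unescaped into a settings view, and the two-step fix: validate on save,
// escape for the output context on render.

// Polyfills so this runs outside WordPress. Inside WordPress the real
// esc_html()/esc_attr()/sanitize_email() are already defined and win.
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string)$s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string)$s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('sanitize_email')) {
    // Approximation of WordPress sanitize_email(): drop characters that cannot
    // appear in an address and return '' for anything that is still not valid.
    function sanitize_email($s) {
        $clean = preg_replace('/[^a-zA-Z0-9!#$%&\'*+\/=?^_`{|}~.@-]/', '', (string)$s);
        return filter_var($clean, FILTER_VALIDATE_EMAIL) ? $clean : '';
    }
}

// Constructed attacker input (assumed): submitted in the black_email field by an
// administrator who does not hold unfiltered_html (multisite, or DISALLOW_UNFILTERED_HTML).
$submitted = '"><script>alert(document.cookie)</script>@example.com';

// VULNERABLE: the stored value is written into an attribute and a text node as-is.
// The leading "> closes the value attribute and the <script> tag runs for every viewer.
function render_entry_vulnerable($entry) {
    return '<input type="text" name="black_email" value="' . $entry . '">'
         . '<td>' . $entry . '</td>';
}

// HARDENED, step 1: normalise on save and refuse to store anything that is not an address.
// (If the plugin accepts domain patterns as well, this validation must be widened;
// the escaping in step 2 does not change.)
function save_blacklist_entry($raw) {
    $email = sanitize_email($raw);
    if ($email === '') {
        return null; // nothing stored; the caller reports a validation error
    }
    return $email;
}

// HARDENED, step 2: escape for the exact output context, even for data that was
// validated on save. Stored data can predate the validation or come from elsewhere.
function render_entry_hardened($entry) {
    return '<input type="text" name="black_email" value="' . esc_attr($entry) . '">'
         . '<td>' . esc_html($entry) . '</td>';
}

echo "Vulnerable render of the stored attacker value:\n";
echo render_entry_vulnerable($submitted) . "\n\n";

echo "What step 1 would actually store: ";
echo var_export(save_blacklist_entry($submitted), true) . "\n\n";

echo "Hardened render of a benign entry:\n";
echo render_entry_hardened('spam@example.com') . "\n\n";

echo "Hardened render if the raw attacker value had somehow been stored anyway:\n";
echo render_entry_hardened($submitted) . "\n";
```

Run with `php stored-xss-example.php` (file name assumed). The last line is the one that matters for review: with esc_attr() and esc_html() the quotes and angle brackets come out as entities, so the value stays inside the attribute and the text node no matter what was saved. Validation on save is still worth having, but the escaping step is what removes the vulnerability class rather than one payload.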
How This Could Impact Your Website
In a realistic scenario, an attacker who already holds an administrator account on an affected site (or on one site of a multisite network) adds a malicious entry through the email blacklist input. When other administrators, super administrators or staff open the settings page, the injected script runs in their browsers with their session. This can lead to limited confidentiality impacts (for example, exposure of data that the viewing user's session can read) and integrity impacts (for example, changing what that user sees, or submitting requests from their browser with their cookies and nonces). Availability is not indicated as impacted by this vulnerability.
Practical consequences include exposure of the addresses stored in the blacklist and other data visible to administrative sessions, increased risk of targeted phishing or social engineering against administrators and staff, and actions performed in the browsers of users who view the injected page. If you're unsure whether your site is affected, or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce the number of administrator accounts, since the attack requires one; on multisite, review per-site administrators in particular, as they are the users the unfiltered_html restriction is meant to constrain.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your installation.
- Monitor site and user activity logs for unusual behavior, especially changes to the plugin's settings or new blacklist entries that contain anything other than an address (quotes, angle brackets or tags are a clear sign).
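To turn the "am I affected?" question into something repeatable, here is an added exposure check (not the plugin's or the vendor's code) written as a WP-CLI eval-file script. It reports the installed plugin version against the 1.6.2 ceiling, whether the site is multisite, whether DISALLOW_UNFILTERED_HTML is set, and which administrators lack the unfiltered_html capability. It assumes WP-CLI is available and that the plugin directory is cm-email-blacklist, the slug used in the Trac URLs below; the script file name is illustrative. It only reads state and changes nothing.

```php
<?php
// Added example, not part of the plugin. Run from the WordPress root as:
//   wp eval-file check-cve-2026-0691.php
// Read-only: reports the preconditions named in the advisory for CVE-2026-0691.

if (!defined('ABSPATH') || !class_exists('WP_CLI')) {
    fwrite(STDERR, "Run this with `wp eval-file` inside a WordPress installation.\n");
    exit(1);
}

require_once ABSPATH . 'wp-admin/includes/plugin.php';

$findings = array();

// 1. Installed plugin version. The advisory covers all versions up to and including 1.6.2.
//    The plugin directory name (assumed: cm-email-blacklist) is matched, not the main file name.
$installed = null;
foreach (get_plugins() as $file => $data) {
    if (strpos($file, 'cm-email-blacklist/') === 0) {
        $installed = $data['Version'];
        $findings[] = sprintf('plugin %s version %s (%s)', $file, $installed,
            is_plugin_active($file) ? 'active' : 'inactive');
    }
}
if ($installed === null) {
    $findings[] = 'plugin cm-email-blacklist: not installed';
}
$vulnerable_version = ($installed !== null) && version_compare($installed, '1.6.2', '<=');

// 2. The configuration preconditions: multisite, or unfiltered_html disabled globally.
$multisite = is_multisite();
$unfiltered_disabled = defined('DISALLOW_UNFILTERED_HTML') && DISALLOW_UNFILTERED_HTML;
$findings[] = 'multisite: ' . ($multisite ? 'yes' : 'no');
$findings[] = 'DISALLOW_UNFILTERED_HTML: ' . ($unfiltered_disabled ? 'true' : 'not set / false');

// 3. Administrators of the current site who do NOT hold unfiltered_html. These are the
//    accounts for which the plugin's missing escaping is a real privilege-boundary bypass.
$admins = get_users(array('role' => 'administrator', 'fields' => array('ID', 'user_login')));
$without_cap = array();
foreach ($admins as $u) {
    if (!user_can((int) $u->ID, 'unfiltered_html')) {
        $without_cap[] = $u->user_login;
    }
}
$findings[] = sprintf('%d administrator(s), %d without unfiltered_html: %s',
    count($admins), count($without_cap), $without_cap ? implode(', ', $without_cap) : '-');

foreach ($findings as $line) {
    WP_CLI::log($line);
}

if ($vulnerable_version && ($multisite || $unfiltered_disabled)) {
    WP_CLI::warning('Preconditions for CVE-2026-0691 are met on this site: review stored blacklist entries for markup and update the plugin.');
} elseif ($vulnerable_version) {
    WP_CLI::log('Affected plugin version, but administrators here already hold unfiltered_html; the advisory does not apply to this configuration.');
} else {
    WP_CLI::success('Preconditions for CVE-2026-0691 are not met on this site.');
}
```

On a multisite network, run it once per site (`wp --url=<site> eval-file ...`) because get_users() with a role filter is scoped to the current site. The third finding is the useful one for triage: if every administrator holds unfiltered_html, the missing escaping changes nothing about what those accounts could already do; if some do not, treat any markup found in the stored blacklist as an indicator and check who saved it.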
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/cm-email-blacklist/tags/1.6.2/backend/views/settings/email_blacklist.phtml#L67
- https://plugins.trac.wordpress.org/browser/cm-email-blacklist/trunk/backend/views/settings/email_blacklist.phtml#L67
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3440158%40cm-email-blacklist&new=3440158%40cm-email-blacklist&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/821f4ea9-bc25-4d65-9058-5b77c4f1b230?source=cve